Amazons Alexa Could be Tricked into Spying on Users

Amazon's Alexa Could be Tricked into Spying on Users

Researchers at Checkmarx were able to build an Alexa skill which could be used to spy on users within earshot. Amazon has now closed the loophole.

Security researchers say they have found a way to make Amazon's Alexa listen in on its users indefinitely, and provide a transcript of everything said in front of the device.

Researchers at cybersecurity firm Checkmarx were able to create an Alexa skill - an applications for the voice-activated assistant - that was able to eavesdrop on users. They created what appeared to be a simple calculator skill for solving math problems but it was actually designed to send transcripts of anything said within earshot of the device back to its creators.

The Alexa service is designed to be fully awake and listening when the user requests the device to list. The active cycle is supposed to be relatively short, with Alexa informing the user when an open session is closed and it is going back to sleep. Researchers decided to examine if the way Alexa listens like this could be exploited.

Once Alexa has performed a task, the code makes a "Should End Session" query, in order to determine if the session remains open or closed after Alexa reads back text, potentially allowing Alexa to stay active for another session. In order to stay active for another session, Alexa sends the user a vocal prompt, informing them that it is still active.

However, researchers found that Alexa's API accepts an empty reprompt code, allowing the vocal prompt to be silent. That means that while Alexa believes it has told the user that the device is still listening, the user is unaware that this is the case.

The blue light on the Echo could give away that the device is still active, but it's possible that users won't notice, or simply won't be looking at the device.

“Echo users need to recognize that 'Alexa Skills' are third-party applications. Just like with any other computing device, users need to be cautious about what applications (or skills) they load and who is providing them. Poorly designed or blatantly malicious applications can lead to degraded user experience as well as privacy or security exposures," security researcher for Tripwire's Vulnerability and Exposure Research Team, Craig Young said. “I would not necessarily call this a security loophole on the part of Amazon. The bottom line here is that for this ‘hack’ to work, a user must load and activate the malicious skill and then ignore the fact that Echo’s blue light remains on.”

Checkmarx disclosed its findings to Amazon, which told the media that it has acted to ensure that skills can no longer be exploited in this way.

"Customer trust is important to us and we take security and privacy seriously. We have put mitigations in place for detecting this type of skill behavior and reject or suppress those skills when we do," a spokesperson said.

About the Author

Sydny Shepard is the Executive Editor of Campus Security & Life Safety.

Featured

  • Survey: 54% of Organizations Cite Technical Debt as Top Hurdle to Identity System Modernization

    Modernizing identity systems is proving difficult for organizations due to two key challenges: decades of accumulated Identity and Access Management (IAM) technical debt and the complexity of managing access across multiple identity providers (IDPs). These findings come from the new Strata Identity-commissioned report, State of Multi-Cloud Identity: Insights and Trends for 2025. The report, based on survey data from the Cloud Security Alliance (CSA), highlights trends and challenges in securing cloud environments. The CSA is the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment. Read Now

  • Study: Only 35 Percent of Companies Include Cybersecurity Teams When Implementing AI

    Only 35 percent of cybersecurity professionals or teams are involved in the development of policy governing the use of AI technology in their enterprise, and nearly half (45 percent) report no involvement in the development, onboarding, or implementation of AI solutions, according to the recently released 2024 State of Cybersecurity survey report from ISACA, a global professional association advancing trust in technology. Read Now

  • New Report Series Highlights E-Commerce Threats, Fraud Against Retailers

    Trustwave, a cybersecurity and managed security services provider, recently released a series of reports detailing the threats facing the retail sector, marking the second year of its ongoing research into these critical security issues. Read Now

  • Stay Secure in 2024: Updated Cybersecurity Tips for the Office and at Home

    Cyber criminals get more inventive every year. Cybersecurity threats continue to evolve and are a moving target for business owners in 2024. Companies large and small need to employ cybersecurity best practices throughout their organization. That includes security integrators, manufacturers, and end users. Read Now

Featured Cybersecurity

Webinars

New Products

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis. 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3